Skip to content

Remove only from wp-packages config#817

Merged
retlehs merged 1 commit intoroots:masterfrom
tangrufus:only
Mar 21, 2026
Merged

Remove only from wp-packages config#817
retlehs merged 1 commit intoroots:masterfrom
tangrufus:only

Conversation

@tangrufus
Copy link
Copy Markdown
Member

@tangrufus tangrufus commented Mar 19, 2026

Copilot AI review requested due to automatic review settings March 19, 2026 21:13
Copilot AI reviewed Mar 19, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the Composer repository configuration for wp-packages by removing the package allowlist, and regenerates the lockfile hash to reflect the config change.

Changes:

  • Remove the only allowlist from the wp-packages Composer repository entry.
  • Update composer.lock content hash to match the modified composer.json.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File Description
composer.json Removes only from the wp-packages repository configuration.
composer.lock Updates the lockfile content-hash to reflect the composer.json change.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

composer.json
"wp-plugin/*",
"wp-theme/*"
]
"url": "https://repo.wp-packages.org"
Copy link

Copilot AI Mar 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removing the only whitelist means this repository can now advertise any package names, and Composer may prefer packages from repo.wp-packages.org over Packagist when a name exists in both repos. To avoid accidental/supply-chain shadowing of non-WordPress dependencies, consider setting this repository to canonical: false (or reintroduce a narrower allowlist/exclude list) while still allowing wp-plugin/* and wp-theme/* packages to resolve from it.

Suggested change
"url": "https://repo.wp-packages.org"
"url": "https://repo.wp-packages.org",
"canonical": false

Copilot uses AI. Check for mistakes.
@vinkla vinkla mentioned this pull request Mar 20, 2026
Merged
@retlehs retlehs merged commit 2593c3a into roots:master Mar 21, 2026
8 checks passed
@tangrufus tangrufus deleted the only branch March 21, 2026 19:53
xelmido pushed a commit to xelmedia/bedrock-headless-zilch that referenced this pull request Apr 1, 2026
@tangrufus
Remove only from wp-packages config (roots#817)
3d5da65
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@retlehs retlehs retlehs approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@tangrufus @retlehs